GENERAL AUDIT APPROACH IN INFORMATION SYSTEMS - PowerPoint PPT Presentation

Provided by: tmskUi
1
GENERAL AUDIT APPROACH IN INFORMATION SYSTEMS
2
OBJECTIVES
  • Understand how controls are evaluated
  • Describe various steps and tasks to be followed
    to effectively perform an information systems
    audit
  • Identify methods, tools and techniques an auditor
    uses in accomplishing the audit objectives

3
AUDIT OF CONTROLS
  • Audit is an evaluation of the adequacy of controls
  • Security policy and standards
  • Verify whether a security policy exists
  • If it exists, study it for its adequacy, currency and
    procedures for updating
  • If it does not exist, mention this in the audit report
    with suggested contents
  • A corporate security policy is important to
    ensure security awareness throughout the
    organization and enforcement of security
    standards

4
AUDIT OF CONTROLS
  • Steering Committee
  • One member at Board level, Manager of IS, manager
    of User departments
  • Changes to existing systems and procedures
    approved by SC
  • If a committee does not exist, the auditor should
    note this in the report and recommend formation of
    a committee, specify its duties and responsibilities
    and highlight the benefits
  • Business Continuity Planning
  • Verify whether the organization has a well-documented
    and updated BCP
  • Verify its effectiveness and seek evidence of the
    frequency of testing of the plan, its adequacy and
    currency, and suggest improvements

5
AUDIT OF CONTROLS
  • Systems Development Methodology
  • Requires strict documentation and procedures
  • Lack of documentation, ad hoc changes to
    programs, different versions of the same program
    running in different branches and program
    development are inadvisable procedures
  • The auditor should mention the lack of
    procedure, highlight the impact of such lapses and
    suggest remedial measures
  • Operational Controls
  • Verify procedures for physical access to
    computerized environment
  • Observe the entry system to verify effectiveness
    of restrictive measures

6
AUDIT OF CONTROLS
  • Environmental Control
  • The working condition of equipment and the
    maintenance schedule need to be checked
  • E.g. temperature control equipment,
    air-conditioning, smoke detectors.
  • Auditor should make comments on this aspect
  • Electric supply
  • Existence and efficacy of voltage stabilizers
    need to be examined
  • Organizational Control
  • The auditor should ask for the names of employees in
    the IT department, their responsibilities and duties
  • Where irregularities are found, auditor should
    highlight and suggest corrective actions

7
GENERAL APPROACH TO PERFORM AN AUDIT
  • Purviewing the environment
  • Understand IS
  • Identifying audit risks
  • Identifying audit evidence
  • Identifying key control points
  • Identifying control weaknesses
  • Verifying veracity of computer files
  • Conducting audit tests
  • Concluding the audit

8
PURVIEWING THE ENVIRONMENT
  • The auditor should purview the environment for the
    following reasons
  • Understand the environment in which the application
    is being run
  • Meet the data processing and auditee departments to
    prepare a list of personnel
  • Assess if the computer center has the capacity and
    capability to run audit software
  • Improve the auditor's IT knowledge base: learning
    experience
  • Understand the scope of the audit and decide areas to
    concentrate on

9
PURVIEWING THE ENVIRONMENT
  • Tasks to perform while purviewing the
    environment
  • Understand audit objectives
  • Define the scope
  • Conduct initial interview
  • Obtain background information
  • Understand audit objectives: to get a clear
    perspective on the objectives
  • Has the area been audited?
  • When was it last audited and what was the
    result?
  • Why has the area been chosen for
    auditing?
  • Is there any apprehension about problems existing in
    the area, or do problems already exist?

10
PURVIEWING THE ENVIRONMENT
  • Define the scope: four Ts which constrain the
    scope of an IT audit
  • Time: the auditor needs to spend time with personnel
    and computer
  • Talent: specialized skills required for an IS
    audit
  • Tools: specific audit software tools and
    availability of audit staff to utilize them
  • Travel: collection of adequate evidence with
    distributed data processing

11
PURVIEWING THE ENVIRONMENT
  • Conduct initial interview: the audit team should
    meet the personnel of the auditee department and
    the project team of the IT department
  • A senior official should also be actively associated
    to ensure that the IT and auditee departments
    cooperate with the audit team

12
PURVIEWING THE ENVIRONMENT
  • Obtain background information: essential
    information to acquire a proper perspective on
    audit objectives, through
  • Previous work papers
  • Interviews: obtain information about the
    organization (organizational chart, write-up
    about the IS to be audited, internal/external audit
    report)
  • Obtain information from the IT department
    (organizational chart, policies, procedures,
    standards, detailed list of all hardware and
    operating system)

13
UNDERSTANDING INFORMATION SYSTEMS
  • It is important to
  • Understand the terminology and technical jargon
  • Familiarize himself with the necessary computer
    concepts
  • Gather all possible documentation and understand
    the same
  • The auditor should not get lost in technical details:
    density of floppy, speed of the processor, etc.
  • Concentrate on IS objectives, understand flow of
    data, and identify audit evidence

14
UNDERSTANDING INFORMATION SYSTEMS
  • Steps involved in understanding the information
    systems are
  • Discussion with staff regarding IS and collection
    of relevant documents
  • Develop an application flow chart
  • Verify application flow chart with concerned
    project team in IT department

15
UNDERSTANDING INFORMATION SYSTEMS
  • Discussion with the staff: the auditee department
    and the project team in the IT department are to be
    met to collect necessary documents
  • Documentation from the auditee dep.: explains in
    non-technical terms what the IS is expected to
    achieve
  • Documentation from the IT dep.: provides details as
    to how exactly the system functions
  • An auditor should
  • Perform input transaction walk through (list
    different types of transactions)
  • Perform systems walk through (understanding of
    computer systems with its different programs)

16
UNDERSTANDING INFORMATION SYSTEMS
  • Peruse the documentation (details of functioning
    of the system, IS objectives and other necessary
    details for the auditor to understand system)
  • Preparation of an application flow chart: makes
    use of symbols and provides an easy-to-follow
    pictorial representation of processing flow
  • Auditors should prepare the flow charts
    themselves
  • Verification of application flow chart: verify the
    accuracy and completeness of the flow chart prepared
    by the auditor with the IT project team
  • Ensure that the auditor has correctly understood
    the details of the IS

17
IDENTIFYING AUDIT RISKS
  • The auditor should evaluate all risks: physical
    threats (fire, flood, earthquake, storm, etc.) and
    others (human errors, omissions, etc.)
  • Steps involved
  • Identify risks: the auditor should be familiar with
    the application as well as the IT environment in which
    applications have been developed
  • Determine magnitude of risks and prioritize them:
    evaluate risks and prioritize them according to their
    magnitude
  • Study the controls for their adequacy

18
IDENTIFYING AUDIT RISKS
  • Commonly associated risks in an IT environment
  • Unreasonable processing: wrong value entered in
    the computer system
  • Repetition of errors: a single error in data is
    sufficient to produce a large volume of errors
  • Cascading of error: an initial error gives rise to
    another error and so on
  • Incorrect entry of data: data which is properly
    authorized could be entered incorrectly, e.g. in an
    on-line system
  • Concentration of responsibilities in one area:
    distributed responsibility for implementing
    control among many persons would highlight any
    failure

19
IDENTIFYING AUDIT EVIDENCE
  • Evidence is needed to support input, processing
    and output
  • Clear understanding of the evidence and its
    identification forms the foundation for
    conducting an effective audit
  • Different types of electronic evidence
  • Computer transactions
  • Source code of program
  • Processing logs
  • System documentation
  • Program documentation
  • User documentation
  • Error messages

20
IDENTIFYING AUDIT EVIDENCE
  • Steps involved in identifying evidence
  • Prepare an exhaustive list of all evidence
    produced by the system: prepare a data flow diagram
    that records evidence internal to the IS
  • Evidence external to the system can be obtained from
    users/system analyst/programmers/security officer
  • Documenting audit evidence: the auditor should know
    the following
  • Medium: data contained in hard disc, floppy or
    tape
  • Format: data is stored in different
    ways (serially, consequentially, etc.)
  • DBMS: data is independent of applications
  • Backup period: period of preservation of data
  • Frequency of creation: be familiar with the frequency
    of creation of the file
  • Composition of data on the file: gather
    information regarding records, formats and layouts

21
IDENTIFYING KEY CONTROL POINTS
  • The auditor needs to concentrate on risks of higher
    magnitude and the key controls
  • Key control points are points in system where
    risk is the greatest and controls most important
  • Methodology to assess the weaknesses in control
    points
  • Check List or Questionnaire
  • Matrix
  • Control flow chart

22
IDENTIFYING KEY CONTROL POINTS
  • Questionnaire should be tailored to the
    customer's need
  • Check list provides an exhaustive list of items
  • Disadvantage
  • Difficult to understand unless auditor is
    computer literate
  • Compensating controls ignored
  • Matrix is prepared with list of probable
    weaknesses on one side of the matrix and controls
    to strengthen the weaknesses on the other

23
IDENTIFYING KEY CONTROL POINTS
  • Data flow diagram: a graphic presentation of
    the transaction flow is prepared
  • Locating risk on DFD: anticipate the type of risk
    and envisage the controls that need to be built in
  • Document the key control on DFD: flow charts
    should be prepared and documented

24
IDENTIFYING CONTROL WEAKNESSES
  • The auditor needs to assess areas where the
    probability of error is high
  • Steps are taken to concentrate on this area to
    strengthen probable weakness
  • Control weaknesses are determined by an auditor
    utilizing his power of judgement
  • Commonly adopted methods of identifying
    control weaknesses are
  • Control flow chart
  • Conflict matrix
  • Transactions/control matrix

25
IDENTIFYING CONTROL WEAKNESSES
  • Control flow charting is a good technique for
    identifying risks and key controls
  • Conflict matrix is a method of identifying a
    conflict of interests. Includes the following
  • Identifying people
  • Identifying conflict actions
  • Completing the matrix
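
The three conflict-matrix steps above (identify people, identify conflicting actions, complete the matrix), worked as an added example that is not part of the original slides. The people, actions and conflict pairs are constructed sample data.

```python
from itertools import combinations

# Constructed sample data: which actions each person can perform.
DUTIES = {
    "clerk_a": {"create_vendor", "enter_invoice"},
    "clerk_b": {"enter_invoice", "approve_payment"},
    "supervisor": {"approve_payment"},
    "dba": {"create_vendor", "approve_payment", "modify_program"},
}

# Constructed pairs of actions that one person should not hold together.
CONFLICTS = {
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"modify_program", "approve_payment"}),
}

def build_matrix(duties):
    """Return (sorted actions, rows); rows[person] is a list of 0/1 flags per action."""
    actions = sorted(set().union(*duties.values()))
    rows = {p: [int(a in held) for a in actions] for p, held in sorted(duties.items())}
    return actions, rows

def find_conflicts(duties, conflicts):
    """Return sorted (person, action1, action2) for each conflicting pair one person holds."""
    found = []
    for person, held in duties.items():
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflicts:
                found.append((person, a, b))
    return sorted(found)

if __name__ == "__main__":
    actions, rows = build_matrix(DUTIES)
    print("person".ljust(12) + " ".join(a.ljust(16) for a in actions))
    for person, flags in rows.items():
        print(person.ljust(12) + " ".join(("X" if f else ".").ljust(16) for f in flags))
    for person, a, b in find_conflicts(DUTIES, CONFLICTS):
        print(f"CONFLICT: {person} holds both {a} and {b}")
```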

26
IDENTIFYING CONTROL WEAKNESSES
  • Transaction/control matrix is concerned with
    those transactions which make an economic
    commitment to the organization
  • Result in inflow or outflow of cash
  • Process of control assessment consists of
  • Identifying risks: study of the DFD should identify
    risks
  • Assessing magnitude of risk: estimate risks in
    terms of absolute figures
  • Assessing strength of controls: identify controls
    and estimate their effectiveness
  • Document identified control weaknesses by
    assessing control weaknesses, evaluating
    magnitude of risk, assessing cost of control and
    performing audit tests

27
VERIFYING VERACITY OF COMPUTER FILES
  • Information on files for conducting audit must be
    complete and accurate
  • Tasks to be performed by the auditor to verify
    veracity of files are
  • Decide on the files to be examined: files
    selected are those which are needed to test
    the weak areas identified
  • Save computer files: required files are
    available on time for audit by making a copy of
    the appropriate master file
  • Verify integrity of computer files and data by
    comparing totals of specific fields of records
    with predetermined totals
  • Ensure that files contain all data he wants
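
The integrity check described above, comparing totals of specific fields with predetermined totals, as an added example that is not part of the original slides. The file layout, field names and predetermined figures are constructed; the copy deliberately contains one corrupted record.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed copy of a master file; the last record has a corrupted balance.
MASTER_COPY = """account_no,branch,balance
100231,01,1500.25
100232,01,320.00
100377,02,9875.50
100410,02,12x.00
"""

# Constructed predetermined totals, as they would be supplied with the file.
PREDETERMINED = {"record_count": 4, "balance_total": Decimal("11820.75"),
                 "account_hash_total": 401250}

def compute_totals(text):
    """Return (totals, bad_rows): control totals plus line numbers of unreadable records."""
    totals = {"record_count": 0, "balance_total": Decimal("0"), "account_hash_total": 0}
    bad_rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        totals["record_count"] += 1
        try:
            account = int(row["account_no"])
            balance = Decimal(row["balance"])
        except (TypeError, ValueError, InvalidOperation):
            bad_rows.append(line_no)  # record exists but cannot be totalled
            continue
        totals["account_hash_total"] += account
        totals["balance_total"] += balance
    return totals, bad_rows

def reconcile(computed, expected):
    """Return {field: (expected, computed)} for every total that does not agree."""
    return {k: (expected[k], computed[k]) for k in expected if computed[k] != expected[k]}

if __name__ == "__main__":
    totals, bad_rows = compute_totals(MASTER_COPY)
    print("unreadable records at lines:", bad_rows)
    for field, (want, got) in reconcile(totals, PREDETERMINED).items():
        print(f"MISMATCH {field}: predetermined {want}, computed {got}")
```

The record count agrees here while the field totals do not, which points to a damaged record rather than a missing one.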

28
CONDUCTING AUDIT TESTS
  • Test some transactions on the computer file using
    different tools and techniques to perform
  • Computations: add, subtract, multiply, divide
  • Compare two fields
  • Sort data in a required manner
  • Summarize and total data
  • Select data from a file based on a predetermined
    basis
  • Before performing a test, the auditor should
    complete
  • Clearly deciding what is expected from the audit test
  • Once the decision is taken on what to test,
    determine how to accomplish it

29
CONDUCTING AUDIT TESTS
  • Steps followed to perform an audit test
  • Design a test: decide about computer file and
    other electronic evidence, statement of test
    objective, identification of information other
    than computer file
  • Select the tool: audit tool may be special
    purpose or general purpose
  • Test the tool: test audit software program and
    familiarize with usage of the tool
  • Execute and use test result: live production
    data should be used in the place of test data

30
CONCLUDING THE AUDIT
  • Conclude the original objectives, determine the
    audit findings and present recommendations
  • Highlight weaknesses detected during audit,
    causes, magnitude of impact of weaknesses and
    corrective actions
  • Tasks involved in concluding the audit
  • Develop findings: examine the condition and note
    down significant variations
  • Should be factual and discovered by auditor
  • Based on standards or guidelines against
    conditions evaluated
  • Effect, impact and significance of the variance

31
CONCLUDING THE AUDIT
  • Develop audit recommendation carefully, if it is
    useful and feasible
  • Thoroughly understand the existing system
  • Clearly state audit findings
  • Consider different alternatives, considering cost
    benefits for each solution
  • Write audit report
  • Executive summary highlighting salient features
  • Explicit recommendation highlighting impact of
    weaknesses and action to be taken
  • Technical jargon avoided